Service Accounts used to start CCS with SSL

Article ID: 192028

Updated On:

Products

CA Identity Manager
CA Identity Governance
CA Identity Portal
CA Identity Suite

Issue/Introduction

What is the best practice for selecting an account to start the CA Identity Manager C++ Connector Server (CCS) service on Windows?


Environment

Release : 14.x

Component :
IdentityMinder(Identity Manager)
Identity Suite (Virtual Appliance)

Resolution

The CA Identity Manager and Identity Governance product documentation (link below) offers the following guidance:

https://techdocs.broadcom.com/content/broadcom/techdocs/us/en/ca-enterprise-software/layer7-identity-and-access-management/identity-management-and-governance-connectors/1-0/connectors/microsoft-connectors/microsoft-active-directory-microsoft-exchange-and-microsoft-lync/how-to-connect-to-active-directory.html


Check the Account Used to Run the CCS Service
Normally, the account used to start the CCS is the Local System account. However, to allow the connector to manage Active Directory over SSL, start the CCS with the account that imported the root CA certificate (the certificate the CCS must trust in order to validate the domain controller's LDAPS certificate).

Use this procedure to check that the CCS service is logged on properly.


Follow these steps:

  1. In Control Panel, select Administrative Tools, Services.
  2. Double-click the C++ Connector Server entry.
  3. On the Log On tab, verify that the account that runs the service is the same account that was used to import the root CA certificate.
  4. Verify that the account password is correct.
  5. If you changed either the account or password, restart the CCS service.

The documentation does not make this clear, but the service account is completely separate from the credentials entered when acquiring an Active Directory endpoint. The endpoint credentials are what the connector binds to Active Directory with; the service account is the Windows identity the C++ Connector Server process runs as, and it is that identity's certificate stores (CurrentUser and LocalMachine) that are consulted when the SSL certificate chain is validated. A root CA certificate imported into the Current User store while logged on as some other administrator is invisible to the CCS process. For that reason it is a best practice to log on as the service account when importing the SSL certificates, so that they land in a store the CCS can actually read.
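The following PowerShell is an added example, not code from the Broadcom article, covering the five-step check above and the certificate import note. It shows which account the CCS service runs as, imports the root CA into the trusted root store of the user running the script (so it must be run as the service account to be meaningful), reports where the root CA is visible, and then performs an LDAPS handshake against a domain controller so that chain validation is exercised with exactly the stores the CCS process would use. The service display-name filter, the domain controller name dc01.corp.example, and the certificate path C:\certs\corp-root.cer are assumptions; adjust them for your environment.

```powershell
# Added example (not part of the article). Run this while logged on as the account
# that starts the CCS service; it reports the service identity and whether that
# identity can validate the domain controller's LDAPS certificate.
# Assumptions: service display name contains "Connector Server",
#              DC is dc01.corp.example, root CA file is C:\certs\corp-root.cer.

$ccs = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*Connector Server*' } |
    Select-Object -First 1
if (-not $ccs) { throw 'CCS service not found; adjust the DisplayName filter.' }
$ccs | Select-Object Name, DisplayName, StartName, State, StartMode | Format-List

# The certificate checks below describe the CCS only if this script runs as
# the same identity the service logs on with (StartName).
$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if ($me -ne $ccs.StartName) {
    Write-Warning "Script runs as '$me' but CCS runs as '$($ccs.StartName)'. Re-run as the service account."
}

# Step 1: import the root CA into the *current user's* trusted root store.
# When the current user is the service account, this is the store the CCS reads.
$rootPath = 'C:\certs\corp-root.cer'   # assumption
if (-not (Test-Path $rootPath)) { throw "Root CA file not found: $rootPath" }
$root = Import-Certificate -FilePath $rootPath -CertStoreLocation Cert:\CurrentUser\Root

# Step 2: show where the root CA is visible. LocalMachine\Root is visible to every
# account on the host; CurrentUser\Root only to the account that imported it.
foreach ($store in 'Cert:\LocalMachine\Root', 'Cert:\CurrentUser\Root') {
    $hit = Get-ChildItem $store | Where-Object { $_.Thumbprint -eq $root.Thumbprint }
    '{0,-26} {1}' -f $store, $(if ($hit) { 'present' } else { 'absent' })
}

# Step 3: TLS handshake to LDAPS with default chain validation. .NET builds the
# chain from this account's stores, so a failure here under the service account
# is the same failure the CCS hits when managing AD over SSL.
function Test-LdapsTrust {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false)
    try {
        $ssl.AuthenticateAsClient($Server)
        [pscustomobject]@{
            Server  = $Server
            Trusted = $true
            Issuer  = $ssl.RemoteCertificate.Issuer
            Detail  = ''
        }
    } catch {
        [pscustomobject]@{
            Server  = $Server
            Trusted = $false
            Issuer  = ''
            Detail  = $_.Exception.GetBaseException().Message
        }
    } finally {
        $ssl.Dispose()
        $tcp.Close()
    }
}

Test-LdapsTrust -Server 'dc01.corp.example'   # assumption: your DC's FQDN

# Step 5 of the procedure: after changing the account or importing the CA,
# restart the service so the new context picks up the trusted root.
# Restart-Service -Name $ccs.Name
```

If Test-LdapsTrust reports Trusted = False when run as the service account but True when run as the administrator who did the original import, the root CA is sitting in the wrong user's store, which is the exact mistake the note above warns about. Note that Get-CimInstance reports the Local System account as "LocalSystem" while WindowsIdentity reports it as "NT AUTHORITY\SYSTEM", so the identity comparison is only exact for local and domain user accounts.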

Windows services can run under three kinds of account, each with its own operational purpose. Selecting the one appropriate to your environment is something that should be discussed with your Active Directory team.

Built-in local accounts include the Local System account (full local administrative rights, and on a domain member it reaches the network as the computer account), the Local Service account (minimal local rights, and it presents anonymous credentials on the network), and the Network Service account (minimal local rights, and it accesses network resources using the computer's credentials).

Domain user accounts dedicated to services are centrally managed by Active Directory. You can create one account per service or share an account across several services. With a domain user account, grant only the privileges the service requires (for the CCS, "Log on as a service" and whatever the installation path and certificate stores need), and be aware that its password must be rotated by an administrator, with the service's logon password updated to match each time.

Active Directory managed service accounts are similar to domain user accounts, but the password is rotated regularly and automatically by Active Directory, so nobody has to reset it or re-enter it in the service configuration. A standalone managed service account is bound to a single computer; on that computer it can be shared by several services, or you can create a separate managed service account for each service.
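As an added example of the managed service account option (not code from the article or from Broadcom), the following PowerShell creates a standalone managed service account, installs it on the CCS host, grants it the "Log on as a service" right, puts the root CA where a non-interactive account can see it, and binds the CCS service to the account. The domain CORP / corp.example, the account name svc-ccs, the host name ccs01, the certificate path C:\certs\corp-root.cer and the service display-name filter are all assumptions. The first two commands need the ActiveDirectory RSAT module and domain rights to create service accounts; the rest runs on the CCS host as a local administrator.

```powershell
# Added example (not part of the article): bind the CCS service to a standalone
# Managed Service Account so AD rotates the password instead of an administrator.
# Assumptions: domain CORP (corp.example), MSA name svc-ccs, CCS host ccs01,
#              service display name contains "Connector Server",
#              root CA file C:\certs\corp-root.cer.

# --- on any machine with the ActiveDirectory module, as a domain administrator ---
New-ADServiceAccount -Name 'svc-ccs' -RestrictToSingleComputer -Enabled $true `
    -Description 'CA Identity Manager C++ Connector Server'
Add-ADComputerServiceAccount -Computer 'ccs01' -ServiceAccount 'svc-ccs'

# --- on ccs01, as a local administrator ---
Install-ADServiceAccount -Identity 'svc-ccs'
if (-not (Test-ADServiceAccount -Identity 'svc-ccs')) {
    throw 'svc-ccs is not usable on this host; check Add-ADComputerServiceAccount and AD replication.'
}

# Least privilege: the only right the account needs to start the service is
# "Log on as a service". services.msc grants it silently when you change the
# Log On tab; changing the account through WMI or sc.exe does not, so grant it here.
$sid = (Get-ADServiceAccount -Identity 'svc-ccs').SID.Value
$inf = Join-Path $env:TEMP 'ccs-rights.inf'
$db  = Join-Path $env:TEMP 'ccs-rights.sdb'
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$content = Get-Content $inf | ForEach-Object {
    if ($_ -match '^SeServiceLogonRight\s*=\s*(.*)$') {
        if ($Matches[1] -match [regex]::Escape($sid)) { $_ } else { "SeServiceLogonRight = $($Matches[1]),*$sid" }
    } else { $_ }
}
if (-not ($content -match '^SeServiceLogonRight')) {
    # no line existed yet: add one directly under the section header
    $content = $content -replace '^\[Privilege Rights\]$', "[Privilege Rights]`r`nSeServiceLogonRight = *$sid"
}
Set-Content -Path $inf -Value $content -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas USER_RIGHTS | Out-Null

# A managed service account never logs on interactively, so there is no session in
# which to import into its CurrentUser store. Use LocalMachine\Root instead, which
# every account on the host, including the MSA, can read.
Import-Certificate -FilePath 'C:\certs\corp-root.cer' -CertStoreLocation Cert:\LocalMachine\Root | Out-Null

# Point the CCS service at the MSA. The trailing '$' is part of the account name and
# the password is left empty: Windows retrieves the current password from AD itself.
$ccs = Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -like '*Connector Server*' } |
    Select-Object -First 1
if (-not $ccs) { throw 'CCS service not found; adjust the DisplayName filter.' }
$result = Invoke-CimMethod -InputObject $ccs -MethodName Change `
    -Arguments @{ StartName = 'CORP\svc-ccs$'; StartPassword = '' }
if ($result.ReturnValue -ne 0) { throw "Win32_Service.Change failed with code $($result.ReturnValue)" }

Restart-Service -Name $ccs.Name
(Get-CimInstance Win32_Service -Filter "Name='$($ccs.Name)'") |
    Select-Object Name, StartName, State   # StartName should now read CORP\svc-ccs$
```

The secedit round trip is the part most often skipped: if the service fails to start with a logon failure (event ID 7000 in the System log) right after the account change, the missing "Log on as a service" right is the first thing to verify. Because the root CA goes into the LocalMachine store here, the check-the-account procedure earlier in this article still applies, but the certificate is visible to whichever account runs the service.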